netfilter: flowtable: use tuple address to calculate next hop

This simplifies IPIP tunnel support coming in follow up patches.

No function changes are intended.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index ee6ec63257d11967065935e54f9980aa772e29a5..083ceb64ac17a88ecaa0dc782e1089f77e0210f3 100644 (file)
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -480,6 +480,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 {
        struct flow_offload_tuple_rhash *tuplehash;
        struct nf_flowtable *flow_table = priv;
+       struct flow_offload_tuple *other_tuple;
        enum flow_offload_tuple_dir dir;
        struct nf_flowtable_ctx ctx = {
                .in     = state->in,
@@ -488,6 +489,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
        struct flow_offload *flow;
        struct neighbour *neigh;
        struct rtable *rt;
+       __be32 ip_daddr;
        int ret;
 
        tuplehash = nf_flow_offload_lookup(&ctx, flow_table, skb);
@@ -510,8 +512,10 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 
        dir = tuplehash->tuple.dir;
        flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
+       other_tuple = &flow->tuplehash[!dir].tuple;
+       ip_daddr = other_tuple->src_v4.s_addr;
 
-       if (nf_flow_encap_push(skb, &flow->tuplehash[!dir].tuple) < 0)
+       if (nf_flow_encap_push(skb, other_tuple) < 0)
                return NF_DROP;
 
        switch (tuplehash->tuple.xmit_type) {
@@ -522,7 +526,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
                        flow_offload_teardown(flow);
                        return NF_DROP;
                }
-               neigh = ip_neigh_gw4(rt->dst.dev, rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr));
+               neigh = ip_neigh_gw4(rt->dst.dev, rt_nexthop(rt, ip_daddr));
                if (IS_ERR(neigh)) {
                        flow_offload_teardown(flow);
                        return NF_DROP;
@@ -787,11 +791,13 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 {
        struct flow_offload_tuple_rhash *tuplehash;
        struct nf_flowtable *flow_table = priv;
+       struct flow_offload_tuple *other_tuple;
        enum flow_offload_tuple_dir dir;
        struct nf_flowtable_ctx ctx = {
                .in     = state->in,
        };
        struct nf_flow_xmit xmit = {};
+       struct in6_addr *ip6_daddr;
        struct flow_offload *flow;
        struct neighbour *neigh;
        struct rt6_info *rt;
@@ -817,8 +823,10 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 
        dir = tuplehash->tuple.dir;
        flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
+       other_tuple = &flow->tuplehash[!dir].tuple;
+       ip6_daddr = &other_tuple->src_v6;
 
-       if (nf_flow_encap_push(skb, &flow->tuplehash[!dir].tuple) < 0)
+       if (nf_flow_encap_push(skb, other_tuple) < 0)
                return NF_DROP;
 
        switch (tuplehash->tuple.xmit_type) {
@@ -829,7 +837,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
                        flow_offload_teardown(flow);
                        return NF_DROP;
                }
-               neigh = ip_neigh_gw6(rt->dst.dev, rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6));
+               neigh = ip_neigh_gw6(rt->dst.dev, rt6_nexthop(rt, ip6_daddr));
                if (IS_ERR(neigh)) {
                        flow_offload_teardown(flow);
                        return NF_DROP;